May 4, 2010

ROSS PHILO
EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER

JOHN T. EDGAR
VICE PRESIDENT, INFORMATION TECHNOLOGY SOLUTIONS

DEBORAH J. JUDY
DIRECTOR, INFORMATION TECHNOLOGY OPERATIONS

CHARLES L. MCGANN
MANAGER, CORPORATE INFORMATION SECURITY

SUBJECT: Audit Report – Certification and Accreditation Process
         (Report Number IS-AR-10-008)

This report presents the results of our self-initiated audit of the U.S. Postal Service's Certification and Accreditation (C&A) process (Project Number 09RG032IS000). The objective was to determine whether the C&A process for critical applications is effective in identifying and mitigating risks in a timely manner. This audit addresses operational risk. See Appendix A for additional information about this audit.

Postal Service policy requires management to complete the C&A process for all sensitive-enhanced,[1] sensitive,[2] and critical information resources, including certification, accreditation, and approval before deployment into the production environment. This formalized process ensures an application has adequate security controls to manage risk throughout the application's life cycle. Key objectives of the C&A process are to assess threats, define security requirements and controls, test security solutions, and evaluate the security controls and processes for the application.

Conclusion

The Postal Service's implementation of the C&A process for critical applications is not effective in identifying and mitigating risks in a timely manner.
Management can strengthen the C&A process by providing Corporate Information Security (CIS) the authority necessary to ensure the process is completed for critical applications before deployment, applications are recertified when required, and high residual risks[3] are mitigated.[4] Further, management should ensure C&A documentation is maintained in a central location and the C&A information is updated in the [...]

We consider two findings identified in this audit report – C&A Process and C&A Documentation and Maintenance – as repeat findings of similar issues identified in prior U.S. Postal Service Office of Inspector General (OIG) reports.[5] Management agreed with the prior findings and subsequently closed the related recommendations in their formal tracking system. See Prior Audit Coverage for additional information related to these reports.

C&A Process

Management deployed at least 22 applications[6] classified as critical to Postal Service operations into production before completing the required C&A process. In addition, management did not recertify applications within required timeframes.

[1] Handbook AS-805, Section 3-2.3.2, Sensitive-Enhanced Information – includes hardcopy or electronic information or material that is not designated as classified but warrants or requires enhanced protection.
[2] Handbook AS-805, Section 3-2.3.3, Sensitive Information – includes hardcopy or electronic information or material that is not designated as classified or sensitive-enhanced but warrants or requires protection.

Certification and Accreditation Process                                                               IS-AR-10-008
Policy[7] requires recertification for critical applications every 3 years, unless the application must comply with Payment Card Industry (PCI) Data Security Standard (DSS)[8] requirements, in which case annual recertification is required.

Management classified 77 production applications as critical to Postal Service operations.[9] The following table displays the C&A process status for the 77 critical production applications.

[3] Residual risk is the risk that remains after management has taken action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk. If a risk is categorized as high, it must be mitigated through a continuous process that reduces risk by implementing cost-effective security measures.
[4] We calculated a non-monetary impact of approximately $360 million for data at risk of loss [...] application. See Appendix C for the non-monetary impact calculation.
[5] OIG report Information Security Assurance Process (Report Number IS-AR-06-009, dated May 4, 2006) and report Information Systems Disaster Recovery Process (Report Number IS-AR-04-004, dated March 10, 2004).
[6] We identified 22 applications that were placed in production without completed C&As – the eight In Progress, nine Not Started (see Table 1), and five of the sample applications we reviewed (see Table 3). However, this list may not be all inclusive, as we did not perform a comprehensive review of all 77 critical applications.
[7] Handbook AS-805, Section 8-4.1, What the C&A Process Covers, and Section 8-5.7.9, Re-Initiate C&A.
[8] The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
As of September 5, 2006, the Postal Service was required to comply with these standards.
[9] An application receives a critical classification if it supports one of six functions – for example, protecting customer or employee life, safety, or health.

Table 1: C&A Process Status

    C&A Process Status    Applications
    Completed                       60
    In Progress                      8
    Not Started                      9
    Total                           77

In addition, 23 of the 60 applications with completed C&As were overdue for recertification. Seven of the 23 must comply with PCI annual recertification requirements. See Appendix D for a complete list of applications in each category.

We judgmentally selected eight applications from the 60 with completed C&As for further detailed review. Five of the eight applications were deployed into production before completing the C&A process.

CIS is responsible for managing the C&A process;[10] however, CIS does not have the authority necessary to enforce and execute these responsibilities when dealing with individuals outside the CIS reporting structure or whose positions are more senior within the organization. Further, policy does not require C&A training for the vice presidents, executive sponsors, or portfolio managers who are involved in the C&A process.
As a result, these individuals may not be aware of their roles and responsibilities when conducting the C&A or understand the magnitude of the risks they are willing to accept on behalf of the Postal Service. In addition, portfolio managers and executive sponsors are not held accountable for incorporating the C&A process and the required documentation into the application's Technology Solutions Life Cycle (TSLC) process.

In response to a similar finding in a prior audit report,[11] management agreed to complete the Information Security Assurance (ISA)[12] process for applications already placed in production. On May 4, 2006, management closed the related recommendation in their formal tracking system; however, because this issue continues to exist, we consider this a repeat finding. When the C&A process is incomplete, management increases the potential for disclosure of sensitive data that may negatively impact the Postal Service brand. See Appendix B for our detailed analysis of this topic.

[10] Handbook AS-805, Section 2-2.4 (e.), Manager, Corporate Information Security Office.
[11] U.S. Postal Service Office of Inspector General (OIG) report, Information Security Assurance Process (Report Number IS-AR-06-009, dated May 4, 2006).
[12] In 2008, CIS renamed the ISA process the C&A process to align it with terminology other federal agencies use. The C&A process and required documentation are incorporated into the TSLC process and should be conducted concurrently with the development and deployment of new information resources.

We recommend the executive vice president and chief information officer:

1.
Provide Corporate Information Security the authority necessary to enforce and execute the responsibilities for managing the Certification and Accreditation process.

We recommend the executive vice president and chief information officer direct the manager, Corporate Information Security, to:

2. Update Handbook AS-805, Information Security, to require mandatory annual training on the Certification and Accreditation process for all portfolio managers.

3. Ensure all portfolio managers receive mandatory training regarding their role, responsibility, and accountability for implementing and reinitiating the Certification and Accreditation process. This training should also be made available to all executive sponsors.

4. Hold portfolio managers accountable for completing the Certification and Accreditation process within the Technology Solutions Life Cycle prior to implementing critical applications in the production environment.

5. Complete the Certification and Accreditation process for all critical applications currently in production, as required by Handbook AS-805, Information Security.

6. Ensure the portfolio managers work with the executive sponsors to initiate the recertification process for critical applications assigned to their functional areas, as required by Handbook AS-805, Information Security.

Unmitigated Residual Risks

Management could not provide evidence that all high residual risks were mitigated for critical applications in production as agreed to during the C&A process. Specifically, management could not provide documentation to indicate risks were mitigated for seven of the eight production applications reviewed. For example, the risk mitigation plan (RMP) for the [name redacted] listed multiple high-risk vulnerabilities that were scheduled to be mitigated by October 31, 2007.
However, management could not provide documentation to show they mitigated these risks.

Policy[13] allows the portfolio managers and executive sponsors to review the RMP, accept the residual risks, and approve the application for deployment. However, there is no formal, centralized mechanism to track the status of residual risks identified in the RMP. Further, no single entity is held accountable for tracking these risks and ensuring they are resolved as stated in the RMP and recertification letter. As a result, management cannot ensure critical production applications are adequately protected against security threats and vulnerabilities. Unauthorized disclosure or misuse of information could result in significant financial loss that may have a negative impact on the Postal Service brand. We quantified the risks associated with the [name redacted] at approximately $360 million in non-monetary [...]. See Appendix B for our detailed analysis of this topic and Appendix C for our non-monetary impact calculation.

[13] Handbook AS-805, Section 8-5.7.1, Executive Sponsor and Portfolio Manager Make Decision to Deploy.

We recommend the executive vice president and chief information officer direct the manager, Corporate Information Security, to:

7. Develop a formal, centralized mechanism to track the status of all unmitigated residual risks identified in the applications' risk mitigation plans.

8.
Input unmitigated residual risks identified in the applications' risk mitigation plans into the formal, centralized tracking mechanism and track the risks through resolution.

We recommend the manager, Corporate Information Security, coordinate with the vice president, Information Technology Solutions, and the director, Information Technology Operations, to:

9. Work with executive sponsors to resolve unmitigated residual risks identified in the risk mitigation plans and recertification letters associated with the critical applications.

C&A Documentation and Maintenance

Management is not consistently maintaining C&A documentation in the TSLC Artifacts and CIS Team Documents libraries or updating the status of key C&A documentation in the Enterprise Information Repository (EIR).

• The TSLC Artifacts and CIS Team Documents libraries are repositories that contain finalized project deliverables for all technology solutions. At present, management maintains C&A documentation in both locations. However, we were unable to locate a completed C&A documentation package in either location for the 60 applications listed in the EIR as having completed the C&A process. Policy does not designate either library as the official repository for storing the C&A documentation. Policy also does not assign a single entity responsibility for maintaining the C&A documentation.

• The EIR is a repository that provides centralized access to the application's information, including designated fields for entering key information instrumental to the C&A process. However, information entered in the fields was inconsistent, inaccurate, or missing.
Although management attempted to assign responsibility for maintaining application information in the EIR in policy,[15] no single entity is held accountable for updating and validating information related to the C&A process.

Management agreed to add the C&A documentation to an online repository in response to a previous OIG report.[16] In addition, management agreed to resolve inconsistencies in the EIR data in response to two previous reports.[17] Although management has closed each of the applicable recommendations from the prior reports, these issues continue to exist. Therefore, we consider these issues repeat findings. By resolving these issues, management could simplify the C&A process – making the process more effective and efficient – and ensure gaps in the C&A process are identified so that timely and credible decisions can be made for securing and managing these applications. See Appendix B for our detailed analysis of this topic.

We recommend the executive vice president and chief information officer direct the manager, Corporate Information Security, to:

10. Establish policy to designate a central repository for storing the Certification and Accreditation documentation.

11. Update Handbook AS-805, Information Security, to designate a single entity responsible for uploading the Certification and Accreditation information to the central repository for all critical applications.

12. Input the Certification and Accreditation documentation for all critical applications into the central repository.

13.
Update Handbook AS-805, Information Security, to designate a single entity for updating and validating the Certification and Accreditation information in the Enterprise Information Repository for all critical applications.

[15] Handbook AS-805, Section 2-2.11, Portfolio Managers; Section 2-2.29, Information Systems Security Officers; Section 3-3.3, Recording Information Resource Classification and Categories of Information Processed; Section 9-9.3, Relationship of Criticality, Recovery Time Objective, and Recovery Point Objective; and Section 9-9.5, Information Resource Recovery and Reconstitution.
[16] OIG report Information Security Assurance Process (Report Number IS-AR-06-009, dated May 4, 2006).
[17] OIG report Information Security Assurance Process (Report Number IS-AR-06-009, dated May 4, 2006) and report Information Systems Disaster Recovery Process (Report Number IS-AR-04-004, dated March 10, 2004).

Management's Comments

Management agreed with the 13 recommendations. In response to recommendation 1, management stated that the CIS manager has the responsibility to manage and administer the C&A process, and that it is the responsibility of the manager, Corporate Information Technology (IT) Portfolios, and the director, IT Operations, to perform the task assignments. Management believes this line of authority is in place and, therefore, requested closure of this recommendation.

To address recommendations 2 and 3, management will update Handbook AS-805, Information Security, to reflect the requirement for the manager, Corporate IT Portfolios, and the director, IT Operations, to require mandatory training on the C&A process for all portfolio managers and staff. Management will provide this training annually.
The targeted completion dates are December 31, 2010, for recommendation 2 and September 30, 2010, for recommendation 3.

In response to recommendation 4, management stated that proper completion of the C&A requirements is already part of the TSLC; however, management will add compliance monitoring to ensure the TSLC process is followed. The targeted completion date is immediate for new critical application production implementations.

To address recommendations 5 and 6, management will complete the C&A process, including the recertification process, for all critical applications. The exceptions will be the various Enterprise Data Warehouse (EDW) Datamarts that are covered by the EDW Infrastructure Impact Assessment. The targeted completion date for both recommendations is March 31, 2011.

To address recommendations 7 through 9, CIS will research and implement an automatic tracking system in which to enter all unmitigated risks cited in each application's risk mitigation plan. Once the system is successfully implemented, CIS will use its notification functionality to notify the manager, Corporate IT Portfolios, and the director, IT Operations, of their responsibilities to perform the task assignments and work with the executive sponsor to resolve the unmitigated risks identified in the application's risk mitigation plan. The targeted completion date for these recommendations is December 31, 2010.

In response to recommendations 10 through 12, CIS will update Handbook AS-805-A, Information Resource Certification & Accreditation Process, to reflect the requirement for the manager, Corporate IT Portfolios, and the director, IT Operations, to designate and use the TSLC Artifacts library as the central repository for storing C&A documentation. Portfolio program managers will also be responsible for, and will input, C&A information to the TSLC Artifacts library.
The targeted completion date for recommendations 10 and 11 is December 31, 2010. The targeted completion date for recommendation 12 is immediate, per existing TSLC responsibilities.

In their original response to recommendation 13, management stated that Handbook AS-805-A, Information Resource Certification & Accreditation Process, Section 2-6 (g) currently outlines this requirement. Specifically, policy states executive sponsors are responsible for ensuring the C&A documentation package is securely stored and kept current for the information resource life cycle. Management stated this process is currently in place and, therefore, requested closure of this recommendation.

See Appendix E for management's comments in their entirety.

In a subsequent discussion with the OIG, management amended their comments to recommendation 13 to state that they will update the handbook to indicate the portfolio program manager is responsible for updating the EIR with the status of the C&A for all critical applications. The targeted completion date is December 30, 2010.

Evaluation of Management's Comments

The OIG considers management's comments responsive to the recommendations, and their corrective actions should resolve the issues identified in the report. However, we do not agree that recommendation 1 should be closed at this time. We support management's decision to designate the manager, CIS, as responsible for executing the C&A process. However, it is imperative that the manager also be given the authority to enforce the requirements with individuals outside his work group.
We believe a reliable gauge of the success of this effort will be the CIS manager's ability to complete the C&A process for all critical applications by the March 31, 2011, targeted completion date specified in management's response to recommendation 5. This recommendation will remain open until management can provide evidence that the intent of the recommendation has been met.

The OIG considers recommendations 1 through 13 significant and, therefore, requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective action is completed. These recommendations should not be closed in the Postal Service's follow-up tracking system until the OIG provides written confirmation that the recommendations can be closed.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Frances E. Cain, director, Information Technology, or me at 703-248-2100.

E-Signed by Darrell E. Benjamin, Jr.

Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General
 for Revenue and Systems

Attachments

cc: Sally K. Haring

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

Postal Service policy requires management to complete the C&A process for all sensitive-enhanced, sensitive, and critical information resources, including certification, accreditation, and approval before deployment into the production environment. This formalized process ensures an application has adequate security controls to manage risk throughout the application's life cycle.
Key objectives of the C&A process are to assess threats, define security requirements and controls, test security solutions, and evaluate the security controls and processes for the application.

A C&A documentation package is required for the information resource; it consolidates the business impact assessment (BIA), vulnerability and risk assessment, security plan, contingency plan, and security test and evaluation (ST&E) plan. To determine the criticality of the application, a BIA is prepared to ensure compliance with privacy requirements, sensitivity and criticality, and appropriate security requirements.

CIS is responsible for managing the C&A process and providing guidance on application security. The Corporate Information Technology and Field Applications Portfolios are responsible for supporting executive sponsors in developing the application and completing the C&A process. After completing the certification process, the executive sponsor and the portfolio manager may decide to deploy the application even though high and/or moderate unmitigated residual risks remain. However, the executive sponsor and portfolio manager should jointly determine whether the residual risks are acceptable and, if so, prepare and sign a conditional acceptance letter and approve the application for deployment.

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to determine whether the C&A process for critical applications is effective in identifying and mitigating risks in a timely manner. To accomplish this objective, we reviewed the status of the C&A process for critical applications assigned a risk criticality of "high" and deployed into production.
Specifically, we reviewed critical applications in the following C&A categories:

• Completed.
• In progress.
• Not started.
• Recertification in process.

To further review the status of the C&A process, we judgmentally selected a sample of eight applications from the 60 critical applications identified as having completed C&As. The table below lists the eight applications in our sample and identifies the applications that are in scope for PCI and Sarbanes-Oxley (SOX) compliance.

Table 2: Sampled Applications

[table contents not present in the source]

We reviewed C&A documentation included in the TSLC Artifacts and CIS Team Documents libraries for all critical production applications. The documentation reviewed included the BIA, security plan, ST&E plan, contingency plan, RMP, risk assessment and vulnerability scans, certification letter, accreditation letter, acceptance letter, conditional C&A letter, and recertification letter, if applicable. We also reviewed the residual risks identified for the eight applications selected to determine whether management mitigated risks according to the RMP and recertification letter.
In addition, we reviewed management's process for tracking the residual risks identified for applications deployed into production.

Finally, we reviewed applicable C&A policies, procedures, roles and responsibilities, and interviewed key officials representing CIS, Corporate IT Portfolios, the Field Applications Portfolio, Business Continuance Management, and business owners from multiple functional areas.

We conducted this performance audit from September 2009 through May 2010 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We reviewed computer-generated data from the EIR and determined the data was unreliable for the purpose of conducting this audit.
We discussed our observations and conclusions with management on March 26, 2010, and included their comments where appropriate.

PRIOR AUDIT COVERAGE

Report Title: Information Security Assurance Process
Report Number: IS-AR-06-009
Final Report Date: May 4, 2006
Report Results: Although the Postal Service has made progress in clearing the backlog of ISA projects and implemented a comprehensive vulnerability testing program, further effort is needed to ensure the ISA processes are completed timely. Management should address issues related to EIR data accuracy, consistency, reliability, availability, and the need for a central location for storage. The report also noted managers had the ability to deploy systems before completing the ISA process.
We made three recommendations to the Postal Service: to complete the required deliverables for the applications identified as having missing documentation, to expedite the population of the online repository, and to validate the reliability of the EIR data. Management agreed with and closed the recommendations in their formal tracking system on May 4, 2006; September 27, 2007; and December 8, 2006, respectively.

Report Title: Information Systems Disaster Recovery Process
Report Number: IS-AR-04-004
Final Report Date: March 10, 2004
Report Results: Managers do not always update EIR data elements for disaster recovery. Data elements such as the BIA, application disaster recovery plan status, and testing information were missing or inaccurate.
We recommended the Postal Service develop a process to enforce current policy to update the EIR data and improve the quality of data currently maintained in the EIR. Management agreed and closed the recommendation in their tracking system on November 5, 2004.

APPENDIX B: DETAILED ANALYSIS

C&A Process

Management deployed at least 22 critical applications into production before completing the C&A process. In addition, management did not recertify applications as required. Management identified 77 production applications with a critical classification of "high." See Appendix D for details on the 77 critical applications.

Policy[18] requires management to complete the full C&A process for all critical resources, culminating in the certification, accreditation, and approval documents for deploying the information resource. All three documents are required before placing the application into production. Policy[19] also requires recertification for critical applications every 3 years, and every year for applications that must comply with the PCI DSS requirements.

We judgmentally sampled eight applications for further review from the 60 critical applications with a completed C&A.
As Table 3 illustrates, management deployed five applications into production
[application names redacted] before completing the C&A process. In addition, the
recertification is past due for five applications [application names redacted].

                            Table 3: Sampled Applications C&A Status

   Application   Deployment   C&A Process           Recertification   Deployed Prior to
                 Date         Completion Date[20]   Due Date*         C&A Completion
   [redacted]    05-27-1995   07-09-2009            07-09-2012
   [redacted]    10-01-2005   03-19-2008            03-19-2009*       X
   [redacted]    10-01-1987   06-17-2009            06-17-2014
   [redacted]    07-30-2007   01-15-2008            01-15-2009*       X
   [redacted]    10-01-1985   06-17-2009            06-17-2014
   [redacted]    05-12-1999   03-19-2003[21]        07-25-2007*       X
   [redacted]    04-26-2001   11-18-2008            11-18-2009*       X
   [redacted]    02-29-2000   None                  02-24-2008*       X
   *Recertification past due at the time of our review (shown as shading in the original table).

[18] Handbook AS-805, Section 8-4.1, What the C&A Process Covers.
[19] Handbook AS-805, Section 8-5.7.9, Re-Initiate C&A.
[20] The EIR lists [application names redacted] as legacy applications. The Postal Service placed
these applications into production before the current C&A process. As a result, the original
certification documentation was unavailable for these applications.
[21] The EIR did not list a C&A Process Completion Date for [application name redacted]; however,
the acceptance of accreditation letter for [application name redacted] was dated March 19, 2003.

Although responsible for managing the C&A process, CIS does not have the authority
necessary to enforce and execute the responsibilities when dealing with individuals
outside the CIS reporting structure or whose positions are more senior within the
organization. Further, policy does not require C&A training for the vice presidents,
executive sponsors, or portfolio managers who are involved in the C&A process. As a
result, these individuals may not be aware of their role and responsibility when
conducting the C&A process or understand the magnitude of the risks they are willing to
accept on behalf of the Postal Service. Over a 5-month period in 2009, CIS offered C&A
training to managers involved in developing applications in an effort to educate them on
their roles and responsibilities in the C&A process. However, manager attendance was
optional and, as a result, only a few attended.

In addition, portfolio managers and executive sponsors are not held accountable for
incorporating the C&A process and required documentation into the TSLC process.
Each of the seven phases of the TSLC has corresponding security activities that
management must perform to maintain a secure environment.
The C&A process and required documentation are incorporated into the TSLC process
and conducted concurrently with the development and deployment of new information
resources.

                Table 4: TSLC Phases and Required C&A Documentation

             TSLC Phase                   C&A Required Documents
             Initiate and Plan            EIR
             Requirements                 BIA Questionnaire
             Analysis and Design          C&A Recertification Letter, Risk Assessment,
                                          and Security Plan
             Build                        Not Applicable
             System Integration Test      ST&E Plan and conduct security test
             Customer Acceptance Test     Accreditation Letter, Risk Acceptance Letter,
                                          Certification Letter, RMP, C&A Acceptance
                                          Letter
             Release                      Not Applicable

Because these issues continue to exist, we consider them repeat findings. As a result,
management increases the risk for potential disclosure of sensitive data such as credit
card data or personally identifiable information that may negatively impact the Postal
Service brand. See Appendix A, Prior Audit Coverage, for details on the prior OIG
reports.

Unmitigated Residual Risks

Management could not provide evidence that high residual risks were mitigated for
critical applications in production as agreed to during the C&A process. Once the C&A
process is complete, the portfolio manager reviews the certification letter and the
supporting C&A documentation and escalates security concerns or prepares an RMP for
any residual risks rated “medium” or “high,” recommending whether the risks should be
accepted, transferred, or further mitigated.
If a documented vulnerability will not be mitigated, the portfolio manager and executive
sponsor should prepare and sign an acceptance of responsibility letter. In addition, the
portfolio managers should work jointly with the executive sponsor to review the C&A
documentation package, accept the residual risk, and approve the application for
production or return the application to the applicable life cycle phase for rework.

Management could not provide documentation indicating they mitigated risks for seven
of the eight production applications in our sample. For example:

▪ [redacted]

▪ [redacted]

▪ [redacted]

▪ [redacted]

(Footnote) Management can perform vulnerability scans to identify risks and to determine whether
the residual risks associated with the application are mitigated. Vulnerability scans evaluate
applications for vulnerabilities and compliance with Postal Service information security policies
and standards. Scans are recommended for all applications and required for applications that
require PCI compliance.

In January 2009, CIS began tracking the RMP for critical applications by using a
spreadsheet maintained on a desktop computer. The spreadsheet is an informal,
decentralized mechanism that does not afford portfolio managers and executive
sponsors access to the RMP information. For example, six of the eight applications in
our sample are not currently included on the RMP tracking spreadsheet. The CIS
manager receives the spreadsheet monthly and, in turn, provides a copy to the vice
president, IT Business Solutions.
While we commend management’s initiative, no single entity is held accountable for
tracking these risks and ensuring they are resolved as stated in the RMP and
recertification letter. As a result, management cannot ensure critical production
applications are adequately protected to prevent security threats and vulnerabilities.

C&A Documentation and Maintenance

Management is not consistently maintaining C&A documentation in the TSLC Artifacts
and CIS Team Documents libraries or updating the status of key C&A documentation in
the EIR. Currently, management maintains C&A documentation in two locations: the
TSLC Artifacts and CIS Team Documents libraries. Although we found C&A documents
in these libraries, we were unable to locate a complete C&A documentation package for
any of the 60 applications identified as having completed the C&A process. Specifically,
of the 60 applications, we could not locate the following documents in either of the two
libraries:

                             Table 5: Missing C&A Documentation

                   C&A Documents                  Number of Applications     Percentage
                                                  with Missing Documents
                   Approved BIA                            21                    35
                   Security Plan                           50                    83
                   Risk Assessment                         53                    88
                   ST&E Plan                               50                    83
                   Vulnerability Scan                      58                    97
                   Contingency Plan                        35                    58
                   Certification Letter                    52                    87
                   RMP                                     51                    85
                   Acceptance Letter/Risk
                   Acknowledgment Letter                   49                    82
                   Accreditation Letter                    53                    88
                   Recertification Letter                  51                    85

Further, the following documents were missing for the eight applications in our sample:

                  Table 6: Missing C&A Documents – Sampled Applications

                   C&A Documents*                             Sampled Applications
                                                              Missing the Document (of 8)
                   Approved BIA                                         0
                   Security Plan                                        3
                   Risk Assessment                                      3
                   ST&E Plan                                            3
                   Vulnerability Scan                                   4
                   Contingency Plan                                     2
                   Certification Letter                                 4
                   RMP                                                  2
                   Accreditation Letter                                 5
                   Acceptance Letter/Risk Acknowledgment
                   Letter/Conditional                                   4
                   Recertification Letter                               4
                   *The original table marks each missing document with an ‘X’ under the application
                   name. The application names are redacted, so the number of ‘X’ marks per
                   document is shown here instead.

Policy[23] does not designate either the TSLC Artifacts or CIS Team Documents library as
the official repository for storing the C&A documentation or assign a single entity
responsible for maintaining the C&A documentation.
By maintaining the documentation in a central location, management can simplify the
C&A process, making it more efficient and effective, and ensure gaps are identified,
which will help protect critical applications from security threats and vulnerabilities.

The EIR is a repository that provides centralized access to the application’s information,
including designated fields for entering key information instrumental to the C&A
process. However, information entered in the fields was inconsistent, inaccurate, or
missing. For example:

▪ [redacted]

▪ [redacted]

▪ [redacted]

[23] OIG report Information Security Assurance Process (Report Number IS-AR-06-009, dated May 4, 2006).

Policy[24] states portfolio managers should ensure applications are entered in the EIR
and updated as required. The ISSOs should ensure the responsible project manager
records the sensitivity and criticality designation in the EIR. The initial determination of
criticality for an information resource is made during the BIA process. Management
should update the EIR when the BIA is completed. While management attempted in
policy to assign responsibility for maintaining accurate application information in the
EIR, no single entity is held accountable for updating and validating information related
to the C&A process. Therefore, management cannot rely on the EIR information to make
timely and credible decisions for securing and managing these applications.

Because these issues continue to exist, we consider these repeat findings.
See Appendix A, Prior Audit Coverage, for details on the prior OIG reports.

[24] Handbook AS-805, Section 2-2.11, Portfolio Managers; Section 2-2.29, Information Systems
Security Officers; Section 3-3.3, Recording Information Resource Classification and Categories of
Information Processed; Section 9-9.3, Relationship of Criticality, Recovery Time Objective, and
Recovery Point Objective.

                              APPENDIX C: NON-MONETARY IMPACT

The following presents an estimate of the potential costs the Postal Service could incur
due to [redacted]. We based the total non-monetary impact of $359,984,152 on a
1-day average of [redacted] multiplied by a cost of $62 per transaction. The calculation
assumes each transaction may contain at least one element of sensitive and critical
information when, in fact, each transaction could contain more than one piece of
sensitive and critical information.

          Cost Category                                               Cost per Record Affected as
                                                                      Reported by Ponemon Institute[26]
          Detection and Escalation
            Internal Investigation, Legal, Audit, and Consulting                  $ 8
          Notification
            Letters, Email, Telephone, Published Media, and Website               $15
          Ex-Post Response
            Mail, Email, Telephone (to Internal Call Center),
            Telephone (to Outsourced Call Center), Legal Defense,
            Criminal Investigations (forensics), Public or Investor
            Relations, Free or Discounted Services                                $39
          Total                                                                   $62[27]

[25] [redacted]
[26] Ponemon Institute, LLC, Fourth Annual US Cost of Data Breach Study, dated January 2009.
Ponemon Institute conducts independent research on privacy, data protection, and information
security policy.
[27] The Ponemon Institute study reports the total cost per compromised record as $202; however,
$139 of that amount is attributed to lost business, which we determined is not applicable. The
category figures are exactly as the Ponemon Institute reported them. We attribute the $1
difference ($63 versus $62) to rounding of the figures within each category.

   APPENDIX D: C&A STATUS FOR 77 CRITICAL PRODUCTION APPLICATIONS

[The table of the 77 applications is not included in the extracted text of this report.]

                           APPENDIX E: MANAGEMENT’S COMMENTS

[Management’s comments are not included in the extracted text of this report.]
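Added example, not part of the OIG report and not Postal Service code: the Appendix B
criteria (Table 3: deployed before C&A completion, recertification past due; Table 5: missing
C&A documents) expressed as a check that runs over an EIR-style application inventory,
which is what the desktop spreadsheet described above does not give portfolio managers.
The CSV column names, the sample inventory, and the application names are constructed
for illustration; the recertification intervals (3 years, 1 year for PCI DSS applications) and
the document list are taken from the report. The document names are shortened to one
label each (for example "Acceptance Letter").

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Recertification intervals cited in Appendix B (Handbook AS-805, Section 8-5.7.9).
RECERT_YEARS = 3          # critical applications
RECERT_YEARS_PCI = 1      # applications that must comply with PCI DSS

# Documents a complete C&A package should contain (Table 5 of the report).
REQUIRED_DOCS = (
    "Approved BIA", "Security Plan", "Risk Assessment", "ST&E Plan",
    "Vulnerability Scan", "Contingency Plan", "Certification Letter", "RMP",
    "Acceptance Letter", "Accreditation Letter", "Recertification Letter",
)

# Constructed sample inventory (assumed CSV layout; names and dates are illustrative).
SAMPLE_EIR = """\
application,deployment_date,ca_completion_date,pci,documents_on_file
APP-A,2005-10-01,2008-03-19,yes,Approved BIA;Security Plan;Certification Letter
APP-B,2009-08-01,2009-07-09,no,Approved BIA;Security Plan;Risk Assessment;ST&E Plan;Vulnerability Scan;Contingency Plan;Certification Letter;RMP;Acceptance Letter;Accreditation Letter;Recertification Letter
APP-C,2007-07-30,2008-01-15,no,Approved BIA;RMP
APP-D,2000-02-29,,no,
APP-E,2008-03-15,2008-02-29,yes,Approved BIA;Security Plan;Risk Assessment;ST&E Plan;Vulnerability Scan
"""


@dataclass(frozen=True)
class AppRecord:
    name: str
    deployed: Optional[date]
    ca_completed: Optional[date]
    pci: bool
    documents: frozenset


def _parse_date(text: str) -> Optional[date]:
    text = text.strip()
    return date.fromisoformat(text) if text else None


def load_eir(csv_text: str) -> List[AppRecord]:
    """Parse the assumed CSV export; an empty date field means 'not recorded'."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        docs = frozenset(d.strip() for d in row["documents_on_file"].split(";") if d.strip())
        records.append(AppRecord(
            name=row["application"].strip(),
            deployed=_parse_date(row["deployment_date"]),
            ca_completed=_parse_date(row["ca_completion_date"]),
            pci=row["pci"].strip().lower() == "yes",
            documents=docs,
        ))
    return records


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


def recert_due(rec: AppRecord) -> Optional[date]:
    """Recertification due date derived from the C&A completion date and PCI status."""
    if rec.ca_completed is None:
        return None
    return add_years(rec.ca_completed, RECERT_YEARS_PCI if rec.pci else RECERT_YEARS)


def check_application(rec: AppRecord, as_of: date) -> List[str]:
    """Return the Table 3 / Table 5 findings for one application, empty if compliant."""
    findings = []
    if rec.ca_completed is None:
        findings.append("no C&A completion recorded")
    elif rec.deployed is not None and rec.deployed < rec.ca_completed:
        findings.append("deployed before C&A completion")
    due = recert_due(rec)
    if due is not None and due < as_of:
        findings.append("recertification past due since " + due.isoformat())
    missing = [d for d in REQUIRED_DOCS if d not in rec.documents]
    if missing:
        findings.append("missing documents: " + ", ".join(missing))
    return findings


def missing_document_summary(records: List[AppRecord]) -> Dict[str, Tuple[int, int]]:
    """Per document: (number of applications missing it, percentage), as in Table 5."""
    total = len(records)
    summary = {}
    for doc in REQUIRED_DOCS:
        count = sum(1 for r in records if doc not in r.documents)
        summary[doc] = (count, round(100 * count / total) if total else 0)
    return summary


def audit(csv_text: str, as_of_iso: str) -> Dict[str, List[str]]:
    as_of = _parse_date(as_of_iso)
    return {r.name: check_application(r, as_of) for r in load_eir(csv_text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EIR, "2010-05-04").items():
        print(name, "->", "; ".join(findings) or "no findings")
    for doc, (count, pct) in missing_document_summary(load_eir(SAMPLE_EIR)).items():
        print(f"{doc:25s} missing for {count} applications ({pct}%)")
```

Run against a real EIR export, the per-application findings are the list a portfolio
manager would act on, and the summary is Table 5 regenerated on demand rather than
reconstructed by hand from two document libraries; an application with no C&A completion
date is reported as such instead of being silently treated as compliant.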